Digital Signature System, and Method

This application is based upon and claims the benefit of the priority of Japanese patent application No. 2024-155250, filed on Sep. 9, 2024, the disclosure of which is incorporated herein in its entirety by reference thereto.

The present disclosure relates to a digital signature system, method and non-transitory medium.

Digital signature is a technology which enables to verify a creator of an electronic document and check that the document has not been altered after creation thereof.

Key generation: A set of a signing key (secret key) sk and a verification key (public key) vk are generated. A digital signature algorithm typically includes a sequence of fundamental processes: key generation, signing, and verification.

where κ is a security parameter.

Signing: A signature σ for a message (document) m to be signed is generated with the signing key sk. More specifically, the signature σ with the signing key (secret key) sk is generated for the message m or a hash value obtained by applying a hash function to the message m. The key generation algorithm may be configured to, instead of receiving the security parameter, receive common (public) parameters generated from the security parameter by a setup algorithm to generate a set of a signing key (secrete or private key) sk and a verification key (public key) vk.

Verification: Correctness of the message (document) m and the signature σ is verified, using the verification key vk.

1) whether the signature was generated using a signing key that corresponds to the verification key or not, and 2) whether the signature was generated for the message (document) or not,and returns 1 for acceptance and 0 for rejection. The function Verify ( ) performs verification all at once as to

Key generation: Using biometric information, a verification key is generated. Signing: A signature σ for a message is generated using biometric information. Verification: Correctness of the message and the signature is verified, using the verification key. Digital signatures using biometric information have been proposed as Fuzzy signatures, which includes a sequence of following processes:

1 [NPL 1] Haruna Higo, Toshiyuki Isshiki, Saki Otsuki, Kenji Yasunaga, “Fuzzy Signature with Biometric-Independent Verification”, 2023 International Conference of the Biometrics Special Interest Group (BIOSIG), IEEE, 20-22 Sep. 2023 NPL (Non-Patent Literature)discloses a fuzzy signature system with a distributed signature scheme in which one of distributed keys is replaced with biometric information.

A biometric-based distributed signature scheme has not been proposed in digital signature algorithms in which a signature is generated using secret information in addition to a signing key. As an example of such algorithms, there is EdDSA (Edwards-curve Digital Signature Algorithm), which is included in the CRYPTREC Ciphers List.

One of the purposes of the present disclosure is to provide a system, method, and non-transitory medium, each enabling to solve at least the above issue.

According to an embodiment of the disclosure, there is provided a digital signature system including a first signature generation apparatus and a second signature generation apparatus, each including at least a processor; a memory storing a program executable by the processor; and a communication interface, communicatively connectable to each other.

a first helper key generated using first secret information corresponding to a verification key and first biometric information; helper data generated using second secret information for distributed signature generation and the first biometric information; and third secret information for distributed signature generation; acquire and store in a storage: generate a second distributed key; and generate a second distributed signature for a message to be signed, by using the second distributed key and the third secret information and sending/receiving information with the second signature generation apparatus. The processor included in the first signature generation apparatus is configured to:

acquire second biometric information; acquire the helper data, restore the second secret information using the second biometric information and the helper data; generate a first distributed key; and generate the first distributed signature for the message, by using the first distributed key and the second secret information and sending/receiving information with the first signature generation apparatus. The processor included in the second signature generation apparatus is configured to:

generate a signature for the message using: one of the first distributed signature or the second distributed signature generated by the one of the first signature generation apparatus or the second signature generation apparatus; and other of the first distributed signature or the second distributed signature generated by other of the first signature generation apparatus or the second signature generation apparatus. The processor included in one of the first signature generation apparatus or the second signature generation apparatus is configured to

a first helper key generated using first secret information corresponding to a verification key and first biometric information; helper data generated using second secret information for distributed signature generation and the first biometric information; and third secret for information distributed signature generation; acquiring and storing in a storage: generating a second distributed key; and generating a second distributed signature for the message to be signed by using the second distributed key and the third secret information, and sending/receiving information with a second apparatus. The method includes: by a first apparatus: acquiring the second biometric information; acquiring the helper data; restoring the second secret information using the second biometric information and the helper data; generating a first distributed key; and generating a first distributed signature for the message, by using the first distributed key and the second secret information and sending/receiving information with the first apparatus.The method includes: by the second apparatus: generating a signature for the message using: one of the first distributed signature or the second distributed signature generated by the one of the first apparatus or the second apparatus; and other distributed signature generated by other of the first apparatus or the second apparatus. by one of the first apparatus or the second apparatus, A digital signature method according to an embodiment of the disclosure includes:

a first helper key generated using first secret information corresponding to a verification key and first biometric information; helper data generated using second secret information for distributed signature generation and the first biometric information; and third secret information for distributed signature generation; acquiring and storing in a storage: generating a second distributed key; and generating a second distributed signature for the message to be signed by using the second distributed key and the third secret information and sending/receiving information with a second processing apparatus.The non-transitory storage medium stores a program causing a second processing apparatus to execute processing including: acquiring the second biometric information; acquiring helper data generated using second secret information and first biometric information; restoring the second secret information using the second biometric information and the helper data; generating the first distributed key; and generating the first distributed signature for the message by using the first distributed key and the second secret information and sending/receiving information with the first processing apparatus.The non-transitory storage medium stores the program causing one of the first processing apparatus or the second processing apparatus to execute processing including generating a signature for the message using: one of the first distributed signature or the second distributed signature generated by the one of the first processing apparatus or the second processing apparatus; and other of the first distributed signature or the second distributed signature generated by other of the first processing apparatus and the second processing apparatus. According to an embodiment of the disclosure, there is provided a non-transitory storage medium storing a program causing a first processing apparatus to execute processing including:

According to the present disclosure, a biometric distributed signature scheme can be realized for a digital signature scheme in which a signature is generated using secret information in addition to a signing key.

The following describes embodiments of the present disclosure. EdDSA, a signature scheme included in the CRYPTREC Ciphers List, uses an elliptic curve ((twisted) Edwards curve) on a finite field GF (p) (where p is an odd prime number, p=2{circumflex over ( )}255−19 for Ed25519 and p=2{circumflex over ( )}488−2{circumflex over ( )}244−1 for Ed488, where the caret ({circumflex over ( )}) is used as an exponentiation operator). A signing key (secret key for signing) sk includes two secret information, i.e., secret information s (secret key) corresponding to a verification key vk, which is a public key, and secret information s′ which is used for nonce generation in a signing phase. The secret information s′ for nonce generation is used to calculate a hash value in signature generation. A hash function used in EdDSA is SHA-512 in Ed25519 and SHAKE25 in Ed448, neither of which is homomorphic. Thus, the hash value thereof cannot be computed using a two party distributed signing protocol. Therefore, when considering an application of EdDSA to a two-party distributed signature scheme, it is necessary to manage the secret information s′ for nonce generation on a signer side, as described below.

There has been proposed no distributed signature generation technology using biometric information with which the signer' side won't need to manage such secret information (secret information s (secret key) and secret information s′ for nonce generation).

The above issue is only an example, but the present disclosure proposes a biometric-based distributed signature scheme that addresses at least the above issue.

1 1 1 2 According to systems (methods) presented in the present disclosure, a first helper key (c) generated using first secret information (secret key) (s) corresponding to a verification key and first biometric information (w) is registered (stored and retained) in a key-based signature generation apparatus (first signature generation apparatus). As for second secret information (s′) used in generation of a distributed signature, helper data (c) generated using the second secret information (s′) and the first biometric information (w) are registered (stored and retained) in the key-based signature generation apparatus. In addition, third secret information (s′) used in the generation of the distributed signature is registered (stored and retained) in the key-based signature generation apparatus.

1 1 1 1 The biometric-based signature generation apparatus (second signature generation apparatus) acquires second biometric information (w′) in a signing phase, acquires the helper data (c) from the key-based signature generation apparatus (first signature generation apparatus), and restores the second secret information (s′) using the second biometric information (w′) and the helper data (c). The biometric-based signature generation apparatus may further generate a first distributed key (either one of Δ or x′) and execute process for generating a first distributed signature for a message (m: electronic document) to be signed, by using the first distributed key and the second secret information (s′) and sending/receiving information with the key-based signature generation apparatus.

2 The key-based signature generation apparatus (first signature generation apparatus) may generate a second distributed key (the other of Δ or x′) in the signing phase. The key-based signature generation apparatus may, by using the second distributed key and the third secret information (s′) and sending/receiving information with the biometric-based signature generation apparatus (second signature generation apparatus) to generate a second distributed signature for the message (m).

One of the key-based signature generation apparatus (first signature generation apparatus) or the biometric-based signature generation apparatus (second signature generation apparatus) may generate a signature for the message (m) using one of the first and second distributed signatures generated by its own apparatus and the other distributed signature generated by the other apparatus.

The biometric-based signature generation apparatus (second signature generation apparatus) may generate a second helper key (c′) using the first distributed key (Δ) and the second biometric (w′), and send the second helper key (c′) to the key-based signature generation apparatus (first signature generation apparatus), which receives the second helper key (c′) to generate a second distributed key (x′) using the first helper key (c) and the second helper key (c′).

The key-based signature generation apparatus (first signature generation apparatus) may generate the second helper key (c′) using the helper data (c1) and the second distributed key (Δ), and send the second helper key to the biometric-based signature generation apparatus (second signature generation apparatus), which receives the second helper key (c′) to generate the first distributed key (x′) using the second helper key (c′) and the second biometric information (w′).

The following describes an overview of EdDSA, as a premise of an example scheme of the present disclosure.

Using a system common parameter para: {b, p, a, d, c, L, n, B, H, E, PH} of EdDSA (reference may be made to, for example, Reference Literature 1 or Request for Comments (RFC) 8032 for details), (Twisted) Edwards curve is defined as below.

2b An output length of H:{0,1}*→{0,1}is 2b bits, where the followings hold:

1 1 1 FIGS.A,B, andC Three protocols of EdDSA: key generation (KeyGen), signing (Sign), and verification (Verify) include algorithms shown in, respectively (based on Reference Literature 1).

1 FIG.A The key generation algorithm KeyGen intakes the parameter para as input, generates the signing key sk and the verification key vk, and returns them as a return value (return (vk, sk)).

ε KeyGen generates a random number se of b-bit length. In more detail, a bit sequence of b-bits is generated uniformly at random from {0,1} and set to s.

0 2b−1 KeyGen generates a bit sequence of 2b-bits (h, . . . h) by a hash function H (output length of His 2b bits).

s is a (n+1)-bit length secret information with the most significant bit ((n+1)-bit) being 1, i-bit (=c, . . . , n−1) being hi and the lower c-bit being 0.

ε s′ is upper b-bit length secret information of H (s).

The verification key vk of the signature is given as

with a bit length b, where B is a generator (with a prime order L) of the group (a base point of the elliptic curve). That is,

The left-hand side of Equation (11) represents

(where [L]B is a notation used in RFC8032) and O is a zero element of the group operation.

The signing key sk=(s, s′) is (b+n+1) bits long.

1 FIG.B A signature generation algorithm: Sign intakes (sk, vk, m) as input and returns a signature σ as a return value, which is almost equivalent to a Schnorr signature, but unlike the Schnorr signature, instead of randomly generating an internal random number r, Sign generates a hash value of secret information s′ and a plaintext to be signed (message) m (by concatenating s′ and m) to be as a nonce r.

In Sign, the base point B is added r times to obtain R.

Next, R and the verification key vk (=A) are concatenated with PH(m) (R∥A∥PH(m)) and a hash value thereof is computed.

The pre-hash function PH is an identity function: PH(m)=m for PureEdDSA, while PH(m)=H′(m) (hash value of m) for HashEdDSA.

As in a normal Schnorr signature, r is added to e multiplied by the secret information s (modulo operation with a modulo L).

1 FIG.C A signature verification algorithm denoted as Verify intakes (vk, m, σ) as input and returns a verification result t as a return value.

If A and R are not contained in E(p, a, d), Verify returns τ=0, i.e., if A, R∉E (p, a, d), then return τ:=0; else

Equivalent to signature verification for the Schnorr signature, but in RFC8032, in verification of a signature (R,z), instead of

the following is used.

where the caret ({circumflex over ( )}) is used as an exponentiation operator, and B is a base point of the elliptic curve (cyclic group of a prime order L).

If a legitimate signer has created the signature, A, R∈<B> holds, and [z]B=R+[e]A also holds. But, we use the following as a verification equation:

2 FIG. In the following, we consider a two-party distributed signature with respect to EdDSA.illustrates the two-party distributed signature between P1 and P2 (based on the disclosure in Reference literature 2 and a study of the inventor and others). In P1 and P2, the numbers in parentheses represent the step numbers in each apparatus (unit), but it is noted that there may be cases where the steps are not performed in this order.

2 FIG.A (1) With the parameter para as input, a b-bit length random number se is generated and a 2b bit sequence is generated by the hash function H In P1, key generation (KeyGen) is performed as shown in.

i Out of the 2b bit sequence, the first distributed key s1 of (n+1) bit length where the (n+1)th bit is 1, i bits are h(i=c, . . . , n−1), and lower c bits are 0 is obtained.

1 i 1 The first distributed key sof (n+1) bit length where out of the 2b bit sequence, the (n+1)th bit is 1, i bits are h(i=c, . . . , n−1), and lower c bits are 0 is obtained. The first distributed secret information s′is secret information for first nonce generation.

1 (2) Compute A=[s1]B. 1 (3) Transmit Ato P2. 2 2 (4) Receive A(=[s]B) from P2. 1 2 (5) Add rational points Aand Aon the elliptic curve to obtain a rational point A on the elliptic curve.

(6) Let A be a verification key vk. 1 1 1 (7) Let (s, s′) be a distributed signature secret key sk.

It is noted that step (3) may be omitted and A obtained in step (5) may be transmitted to P2.

2 FIG.A f (1) With the parameter para as input, a bit-length random number sis generated and generate a 2b bit sequence is generated by the hash function H Similar to P1, P2 performs the key generation (KeyGen) shown in.

2 i The second distributed key sof (n+1) bit length where out of the 2b bit sequence, the (n+1)th bit is 1, i bits are h(i=c, . . . , n−1), and lower c bits are 0 is obtained.

2 f The second distributed secret information s′is the upper b-bit length of H(s).

2 2 (2) Compute A=[s]B. 1 1 (3) Receive A(=[s]B) from P1. 2 (4) Transmit Ato P1. 1 2 (5) Add the rational points Aand Aon the elliptic curve to obtain A on the elliptic curve.

(6) Let A be a verification key vk. 2 (7) Let (s2, s′2) be a distributed signature secret key sk.

It is noted that step (3) may be deleted and A transmitted from P1 may be received instead of step (5).

2 FIG.B In a signing phase, P1 performs distributed signature generation (Sign) as shown in.

1 1 1 1 1 1 1 (1) Compute a first nonce r(integer), which is a hash value of the first distributed secret information s′and message m. That is, the first nonce ris a hash value obtained by concatenating s′and m and then inputting the concatenated result to the hash function H. The distributed signature generation (Sign) may take the verification key vk (=A), the distributed signature secret key sk(=(s, s′)), and the message m, as inputs, and may perform following steps.

1 1 (2) Compute a first rational point Ron the elliptic curve using the first nonce r.

1 (3) Transmit Rto P2. 2 (4) Receive Rfrom P2.

1 2 (5) Add the first rational point Rand the second rational point Ron the elliptic curve to obtain a third rational point R. It is noted that step (4) may be performed before step (3), as long as it is before step (5).

(6) Concatenate the third rational point R and the verification key vk(=A) with PH(m) and input the concatenated result into the hash function H to obtain a hash value e.

2 (7) Receive zfrom P2. 2 1 (8) Using z, e and s, compute

(9) Compute a signature σ:=(R,z) and set the signature σ(=(R,z)) to be a return value.

It is noted that step (3) may be omitted and R obtained in step (5) may be transmitted to P2.

2 FIG.B 2 2 2 2 2 2 2 (1) Compute a second nonce r(integer), which is a hash value of the second distributed secret information s′and message m. That is, the second nonce ris a hash value obtained by concatenating s′and m and inputting the concatenated result into the hash function H. P2 performs distributed signature generation (Sign) as shown in. The distributed signature generation (Sign) may take the verification key vk (=A), the distributed signature secret key sk(=(s, S′)), and the message m, as inputs, and may perform following steps.

2 (2) Compute a second rational point Ron the elliptic curve.

1 (3) Receive the first rational point Ron the elliptic curve from P1. 2 (4) Transmit the second rational point Ron the elliptic curve to P1.

1 2 (5) Add the first rational point Rand the second rational point Ron the elliptic curve to obtain the third rational point R on the elliptic curve. It is noted that Step (3) and (4) do not have to be in this order.

(6) Concatenate the third rational point R on the elliptic curve and the signature verification key vk(=A) to PH(m) and input the concatenated result into the hash function H to obtain a hash value e.

2 (8) Transmit zto P1.

It is noted that step (3) may be deleted, and instead of step (5), R transmitted from P1 may be received.

As for the signature σ=(R,z), Equation (30) is expressed as follows.

1 2 1 2 where z composes the signature σ=(R, z) for message m with the secret key (s=s+s) and the secret information s′and s′.

The verification apparatus receives the signature σ from P1 and executes the verification algorithm Verify, which takes the verification key vk, message m, and signature σ as inputs and checks if the following holds.

For example, if c=3,

2 FIGS. 1 2 In, P1 and P2 perform key generation (KeyGen), respectively, but not limited thereto. For example, the key generation (i.e., generation of vk, skand sk) may be performed for P1 and P2 by entities different from P1 and P2 (such as the first and second key generation apparatuses).

2 FIG. 2 FIG. 1 1 1 1 1 In the example in, the distributed signature secret key sk=(s, s′) needs to be managed on the P1 side. It is noted that Reference Literature 2 does not disclose biometric-based distributed signature in which distributed keys based on biometric information are used to generate a signature between two parties in a distributed manner. However, in biometric-based distributed signature, P1 needs to manage at least the secret information s′, as in. When P1 is a client, management of the secret information s′may become a burden on the client.

The above issue is just one example. The present disclosure proposes a new digital signature system (biometric-based distributed signature system) that can at least address the above issue.

3 FIG. 3 FIG. 3 FIG. 3 FIG. 100 110 120 130 140 150 illustrates one of embodiments of the digital signature system proposed in the present disclosure. Referring to, the digital signature systemincludes a biometric-based key generation apparatus, a key-based signature generation apparatus, a biometric-based signature generation apparatus, a verification apparatus, and a secret information generation apparatus. In, numbers in parentheses of each apparatus represent the number of processing steps, but the order of processing is not necessarily limited to that order. In, the sending and receiving of signals are indicated by arrows, but this does not imply unidirectional transmission and may include, for example, such a series of handshakes including transmission of a request for acquiring information from a reception apparatus to a sending apparatus, transmission of information from the transmission apparatus to the reception apparatus, and transmission of an acknowledgment from the reception apparatus to the sending apparatus, or, such a series of handshakes including transmission of a transmission request from a transmission apparatus to a reception apparatus, transmission of an acknowledgement from the reception apparatus to the transmission apparatus, transmission of information from the transmission apparatus to the reception apparatus, and transmission of an acknowledgement from the reception apparatus to the transmission apparatus. The same applies to the following drawings.

110 (1) Acquire first biometric information w of a user. (2) Generate a secret key (secret information) s and a verification key vk (=A=[s]B) corresponding to the secret key s, which is a public key. The private key (secret information) s may be generated by Equation (8). The verification key vk may be generated by Equation (10). (3) Generate a first helper key c using the private key (secret information) s corresponding to the verification key vk and the first biometric information w. The first helper key c may be a sketch (secure sketch) that is a composite of an encoded value ENC(s) of the private key (secret information) s and the first biometric information w, where ENC(s) represents the encoded value obtained by an encoding function ENC with s inputted thereinto. The biometric-based key generation apparatusmay perform, as a part of the key generation algorithm, for example, following steps.

1 1 1 (4) Generate the first secret information s′i for the first nonce generation. The first secret information s′i may be computed, for example, using Equation (9). The first biometric information w is used to generate helper data c. The helper data cmay be a composition of the encoded value ENC(s′) of the first secret information s′i and the first biometric information w. It is noted that on the right side of Equation (39), addition is used as a composition operation, but an operation such as subtraction and bit-wise exclusive OR may be used. For example, when w is binary data, c may be obtained by bit-wise exclusive OR operation with ENC(s).

1 1 120 (5) The first helper key c and helper data care transmitted to the key-based signature generation apparatus. Although c may be referred to as helper data, it is referred as a helper key to distinguish it from the helper data c. c is also referred to as the first helper key to distinguish it from c′ below. 140 120 120 130 (6) The verification key vk (=A) is transmitted to the verification apparatus. The verification key vk is also transmitted to the key-based signature generation apparatus. This is because the verification key vk (=A) is used in signing phase (signature generation). The verification key vk (=A) may be one of common parameters that can be commonly referenced by the key-based signature generation apparatusand the biometric-based signature generation apparatus. It is noted that on the right side of equation (40), as in Equation (39), a composition operation is not limited to addition, but an operation such as subtraction and bit-wise exclusive OR may be used.

150 2 2 (1) Generate second secret information s′for second nonce generation. The second secret information s′may be generated, for example, using Equation (24). 120 1 2 (2) The second secret information s′2 is transmitted to the key-based signature generation apparatus. The secret key s may be denoted as the first secret information. In this case, the above first secret information s′and second secret information s′may be designated as the second and third secret information. The secret information generation apparatusmay perform, as a part of the key generation algorithm, for example, following steps.

130 (1) Acquire second biometric information w′ of a user (signer). (2) Acquire a message m to be signed. 1 120 (3) Receive helper data cfrom the key-based signature generation apparatus. 1 1 1 (4) Restore the first secret information s′i using the helper data cand the second biometric information w′. For example, the first secret information s′may be restored by inputting a difference between cand w′ into a decoding function DEC. When generation a signature, the biometric-based signature generation apparatusmay perform, for example, following steps.

The right side of Equation (41) is expressed as

Modalities of the first biometric information w and the second biometric information w′ are set to be identical (e.g., sensors that acquire the first biometric information w and the second biometric information w′ are the same model). When a difference between w and w′ may be less than an error correction range of the decoding function DEC, and the following holds:

130 120 130 1 1 1 1 1 (5) Select a first distributed key Δ (integer) uniformly at random from an information source. The biometric-based signature generation apparatusreceives the helper data cfrom the key-based signature generation apparatuseach time it creates a signature and obtains the first secret information s′by decoding a difference between the helper data cand the second biometric information w′. It is unnecessary for the biometric-based signature generation apparatusto manage the first secret information s′. The first secret information s′i is obtained by decoding the difference between the helper data cand the second biometric information w′.

Generate a second helper key c′ using the first distributed key Δ and the second biometric information w′.

120 120 1 120 (6) Perform the distributed signature generation process, by using the first secret information s′and the first distributed key Δ, and sending/receiving information with the distributed signature generation process of the key-based signature generation apparatus, for example, as follows. Transmit the second helper key c′ and a message m to the key-based signature generation apparatus. The message m may be transmitted to the key-based signature generation apparatusafter the message m is obtained in step (2).

1 1 1 Generate the first nonce r=H (s′,m), using the first secret information s′and the message m.

1 1 1 Compute the first rational point (R=[r]B) on the elliptic curve corresponding to the first nonce r.

1 2 2 2 120 Compute a third rational point R on the elliptic curve (R=R+R) which is a result of the addition on the elliptic curve line with a second rational point (R=[r]B) corresponding to the second nonce 2 received from the key-based signature generation apparatus.

1 1 1 Generate a first partial signature (first distributed signature) z(=r+e*Δ, where e:=H(R, A, PH(m))), using R, the first nonce r, the verification key vk(=A=[s]B), the message (m) and the first distributed key Δ.

1 2 1 2 2 2 120 140 (7) Transmit the signature σ=(R, z) and the message m to the verification apparatus. Generate a signature σ=(R,z), where R is the third rational point on the elliptic curve and z is a composite value (z=r+r+e*(Δ+x′)) composed by the first partial signature zand the second partial signature (second distributed signature) z(=r+e*x′), where zis generated in the key-based signature generation apparatus, by using R, the second nonce 12, the verification key vk (=A=[s]B), the message m and the second distributed key x′.

120 1 1 1 1 110 120 120 (1) Receive the first helper key c and the helper data cfrom the biometric-based key generation apparatusand register them in a storage part. The first helper key c registered in the key-based signature generation apparatusis an encoded value of the private key s corresponding to the verification key vk and embedded in the first biometric information. Thus, security against extraction and/or compromise of the private key s and/or first biometric information w from the first helper key c can be ensured. In addition, the helper data cregistered in the key-based signature generation apparatusis the encoded value of the secret information s′for the first nonce generation embedded in the first biometric information w, and security against extraction and/or compromise of the secret information s′can also be ensured. 2 150 (2) Receive the second secret information s′from the secret information generation apparatusand register it in the storage part. 1 130 (3) Transmit the helper data cto the biometric-based signature generation apparatus. (4) Generate the second distributed key x′. The key-based signature generation apparatusmay perform, for example, following steps.

130 130 (5) Perform distributed signature generation process, by using the second secret information s′2 and the second distributed key x′ and sending/receiving (exchanging) information with the distributed signature generation process of the biometric-based signature generation apparatus. For example, the second helper key c′(=ENC (Δ)+w′) may be received from the biometric-based signature generation apparatus, and the second distributed key x′ may be generated, using the first helper key c and the second helper key c′.

2 2 2 2 2 2 the second rational point R=[r]B on the elliptic curve corresponding to the second nonce ris computed, 2 130 the second rational point Rmay be transmitted to the biometric-based signature generation apparatus, and 1 2 1 2 2 2 130 130 using the third rational point R(=R+R) which is a result of addition on the elliptic curve of the first rational point Rfrom the biometric-based signature generation apparatusand the second rational point R, the verification key vk(=A=[s]B), the message m and the second distributed key x′, a second partial signature z(=r+e*x′, where e:=H(R, A, PH(m))) may be generated and transmitted to the biometric-based signature generation apparatus. For example, the second nonce r=H(s′,m) may be generated using the second secret information s′.

140 130 (1) Receive a signature σ=(R, z) and the message m from the biometric-based signature generation apparatus, 120 (2) Verifies whether or not σ=(R, z) and the message m are correct, using the verification key vk. The signature σ=(R, z) and message m may be received from the key-based signature generation apparatus. The verification apparatusthat verifies a signature for the message m using the verification key may perform, for example, following steps.

130 110 150 120 150 120 150 110 120 2 In some implementations, the biometric-based signature generation apparatus, biometric-based key generation apparatus, and secret information generation apparatusmay be configured as client-side apparatuses connected by a network (e.g., wired or wireless LAN (Local Area Network), mobile communication network, etc.), respectively, and the key-based signature generation apparatusmay be configured as a server apparatus (e.g., cloud server, etc.) connected to the client-side apparatuses via a wired/wireless LAN, mobile communication network, WAN (Wide Area Network) such as The Internet, etc., though not limited thereto. Depending on the implementation, the secret information generation apparatusmay be configured as a server-side apparatus and as an entity independent of the key-based signature generation apparatus. For example, the server-side secret information generation apparatusmay receive a request from the client-side biometric-based key generation apparatusto generate secret information s′for transmission to the key-based signature generation apparatus.

4 FIG. 3 FIG. 100 110 111 112 113 114 115 116 117 118 illustrates an example of a functional configuration (functional blocks) of each apparatus included in the systemof. The biometric-based key generation apparatusincludes a first biometric information acquisition part, a secret information generation part, a verification key generation part, a verification key transmission part, a first helper key generation part, a first helper key transmission part, a helper data generation partand a helper data transmission part.

150 151 152 The secret information generation apparatusincludes a secret information generation partand a secret information transmission part.

130 131 132 133 134 135 136 137 138 139 138 138 120 138 130 110 130 The biometric-based signature generation apparatusincludes a second biometric information acquisition part, a helper data acquisition part, a secret information restoration part, a message acquisition part, a first distributed key generation part, a second helper key generation part, a second helper key and message transmission part, a distributed signature generation part, and a signature and message transmission part. The distributed signature generation partuses the verification key vk (=A) to generate the distributed signature. A verification key acquisition unit (not shown) may be provided within the distributed signature generation partthat obtains the verification key vk (=A) from the key-based signature generation apparatus. A verification key acquisition unit (not shown) may be provided separately from the distributed signature generation part. It is unnecessary for the biometric-based signature generation apparatusto receive the verification key vk generated by the biometric-based key generation apparatusand to store and manage the verification key vk on the side of the biometric-based signature generation apparatus.

120 121 121 122 122 123 123 123 124 125 126 120 120 120 127 140 139 130 8 FIG. The key-based signature generation apparatusincludes a first helper key acquisition partA, a first helper key storage partB, a secret information acquisition partA, a secret information storage partB, a helper data acquisition partA, a helper data storage partB, a helper data transmission partC, a second helper key and message acquisition part, a second distributed key generation part, a distributed signature generation part, a verification key acquisition partA, and a verification key storage partB. Although not shown for drawing convenience, the key-based signature generation apparatusmay include a signature message transmission unit (in) that transmits a signature and a message to the verification apparatus, instead of the signature and message transmission partincluded in the biometric-based signature generation apparatus.

140 141 142 143 144 The verification apparatusincludes a verification key acquisition part, a verification key storage part, a signature and message acquisition part, and a signature verification part.

5 FIG. 4 FIG. 5 FIG. illustrates the key (secret information) generation process in the system of. The numbers in parentheses for each apparatus inare processing step numbers in each apparatus.

110 111 (1) The first biometric information acquisition partacquires first biometric information w of a user. The first biometric information may be face information, fingerprint information, vein information (finger or palm), iris information, etc. 112 2 (2) The secret information generation partgenerates a bit sequence (random number) of b-bits uniformly at random from {0,1} to s. The biometric-based key generation apparatusmay perform, for example, following steps.

0 2b−1 A bit sequence (h. . . h) of 2b bits is generated using the hash function H.

s is a (n+1)-bit-long secret information with the most significant bit ((n+1)-bit) being 1, i-bit (=c, . . . , n−1) being hi and lower c-bit being 0.

ε s′1 is the upper b-bit length secret information of H(s).

113 (3) The verification key generation partgenerates the verification key vk using the secret information s (secret key) and a base point B of the elliptic curve.

115 (4) The first helper key generation partgenerates the first helper key c using the encoded value ENC(s) of the secret information s (secret key) and the first biometric information w.

The operation + may be − or may be a bit-by-bit exclusive or operation, etc., depending on the encoding.

The encoding function ENC converts a plaintext mA in an information source space to a code cA. The decoding function DEC converts the code cA back to the plaintext mA.

The following needs to hold for any code cA′, a difference of which from cA, i.e., the code of the plaintext mA contained in the information source space, is within a correction range (capability).

In the following, a linear code is used.

is a code word for mA+mB, and

In Equation (55), the “+” on the left and right sides need not be the same operation.

With respect to coding, for example, an error-correcting code (Hamming code, BCH (Bose-Chaudhuri-Hocquenghem) code, RS (Reed-Solomon) code, LDPC (low-density parity-check code) code, etc.) may be used. Alternatively, lattice coding, for example, may be used. More specifically, a method using an integer lattice, a triangular lattice, or a more complex lattice may be used.

When the biometric information w is n-bit binary data, the encoded value ENC(s) may be n-bit binary data.

116 120 (5) The first helper key transmission parttransmits the first helper key c to the key-based signature generation apparatus. 117 1 1 (6) The helper data generation partgenerates helper data cusing the encoded value ENC (s′) of the secret information s′i and the first biometric information w. When the biometric information w is an n-dimensional vector, the encoded value ENC(s) may be an n-dimensional vector.

118 120 1 (7) The helper data transmission parttransmits helper data cto the key-based signature generation apparatus. 114 140 114 120 (8) The verification key transmission parttransmits the verification key vk (=A=[s]B) to the verification apparatus. The verification key transmission partmay also transmit the verification key vk(=A=[s]B) to the key-based signature generation apparatus.

1 1 The first helper key c and helper data cmay be transmitted together or separately. The order of transmission of the verification key vk, the first helper key c and helper data cis arbitrary.

150 151 f (1) Secret information generation partgenerates a bit sequence (random number) of b-bits uniformly at random from {0,1} and sets it to s. The secret information generation apparatusmay perform, for example, following steps.

0 2b−1 A bit sequence (h. . . h) of 2b bits is generated using the hash function H.

2 0 2b−1 151 120 2 (2) The secret information generation parttransmits the secret information s′for second nonce generation to the key-based signature generation apparatus. where s′is the upper b-bits of the bit sequence (h. . . h).

140 141 110 (1) The verification key acquisition partreceives the verification key transmitted from the biometric-based key generation apparatus. 141 142 (2) The verification key acquisition partstores the verification key in the verification key storage part. The verification apparatusmay perform, for example, following steps.

120 121 123 120 110 121 123 120 (1) The first helper key acquisition partA, helper data acquisition partA and verification key acquisition partA receive the first helper key c, helper data c1 and verification key vk transmitted from the biometric-based key generation apparatus, respectively. It is of course possible for the first helper key acquisition partA, helper data acquisition partA, and verification key acquisition partA to receive the first helper key c, helper data c1, and verification key vk at separate times. 122 150 2 (2) The secret information acquisition partA receives the secret information s′for second nonce generation transmitted from the secret information generation apparatus. 121 121 123 123 120 120 122 122 1 2 (3) The first helper key acquisition partA stores the first helper key c in the first helper key storage partB, the helper data acquisition partA stores the helper data cin the helper data storage partB, and the verification key acquisition partA stores the verification key vk in the verification key storage partB. The secret information acquisition partA stores the secret information s′in the secret information storage partB. The key-based signature generation apparatusmay perform, for example, following steps.

120 121 123 122 120 100 4 FIG. 6 FIG. 4 FIG. In the key-based signature generation apparatusof, the first helper key storage partB, helper data storage partB, secret information storage partB, and verification key storage partB may be separate storage apparatuses (storage) or a single storage part.illustrates the signature generation process and the verification process in the systemof.

130 131 (1) The second biometric information acquisition partacquires the user's second biometric information w′. The second biometric information w′ and the first biometric information w is assumed to be of the same modality. 134 (2) The message acquisition partA acquires a message m (electronic document) to be signed. 132 120 132 120 120 1 1 1 (3) The helper data acquisition partacquires helper data cfrom the key-based signature generation apparatus. The helper data acquisition partmay transmit a request for acquiring helper data cto the key-based signature generation apparatusand receive the helper data cfrom the key-based signature generation apparatus. 133 1 1 (4) The secret information restoration partrestores the secret information s′for first nonce generation using the helper data cand the second biometric information w′. When generating a signature, the biometric-based signature generation apparatusmay perform, for example, following steps.

When the second biometric information w′ is close to the first biometric information w (i.e., a distance between w and w′ is within a correction range (capability), as described above), a result of the decoding operation.

1 135 (5) The first distributed key generation partselects (generates) the first distributed key Δ uniformly at random from an information source. 138 (6) The distributed signature generation partgenerates a second helper key c′ using the value ENC (Δ) encoded by the first distributed key Δ and the second biometric information w′. is s′.

137 120 137 (7) The second helper key and message transmission parttransmits the second helper key c′ and message m to the key-based signature generation apparatus. Although the second helper key and message transmission partis shown as a single unit, it is of course possible to configure the second helper key transmission unit and the message transmission unit as separate units. 138 126 120 (8) The distributed signature generation partexchanges information with the distributed signature generation partof the key-based signature generation apparatusto generate a signature. 138 1 (8A) The distributed signature generation partinputs a value of the secret information s′for first nonce generation concatenated with the message m into the hash function H to compute the first nonce (integer).

138 1 1 1 (8B) The distributed signature generation partuses rto find the first rational point Ron the elliptic curve (base point B is added to the first nonce rtimes).

138 126 120 138 126 120 138 120 2 (8C) The distributed signature generation partreceives the second rational point Ron the elliptic curve transmitted from the distributed signature generation partof the key-based signature generation apparatus. The distributed signature generation partreceives the verification key vk transmitted from the distributed signature generation partof the key-based signature generation apparatus. It suffices that in the distributed signature generation part, acquisition of the verification key vk stored in the key-based signature generation apparatusmay be done before step (8E), which may as a matter of course be done separately from acquisition of the second rational point R2. 138 1 2 (8D) The distributed signature generation partfinds the third rational point R by addition of the first rational point Ron the elliptic curve and the second Ron the elliptic curve.

138 (8E) The distributed signature generation partconcatenates the third rational point R, the verification key vk(=A), and PH(m) and inputs them into the hash function H to compute a hash value e.

138 126 120 138 126 120 1 1 1 (8F) The distributed signature generation parttransmits the first rational point Ron the elliptic curve to the distributed signature generation partof the key-based signature generation apparatus. The transmission of Rby the distributed signature generation partmay be performed at any timing in response to a request to obtain Rfrom the distributed signature generation partof the key-based signature generation apparatus. 138 1 (8G) The distributed signature generation partcomputes the first partial signature z.

1 1 2 2 1 138 126 120 138 126 120 2 2 2 2 2 1 2 1 2 (8H) The distributed signature generation partreceives z(=r+e*x′) from the distributed signature generation partof the key-based signature generation apparatus. The distributed signature generation partmay obtain zby making a request to the distributed signature generation partof the key-based signature generation apparatusto obtain z. It is noted that since zis an element z (=z+z) of the signature σ=(R,z) when combined (added) with the first partial signature (first distributed signature) z, zmay be called a second partial signature (second distributed signature). 138 2 1 (8I) The distributed signature generation partadds the second partial signature (second distributed signature) zto the first partial signature (first distributed signature) zto compute z of the signature σ=(R,z). It is noted that since zis an element z (=z+z) of the signature σ=(R,z) when combined (added) with z, zmay be called the first partial signature (first distributed signature) because

138 140 130 140 1 1 1 1 2 1 2 (9) The distributed signature generation parttransmits the signature σ=(R,z) and the message m to the verification apparatus.It is noted that the biometric-based signature generation apparatusmay delete (or reset or zero-clear the corresponding variable regions, etc.) the helper data c, the first secret information s′, the first distributed key Δ and the second helper key c′ after the distributed signature generation process (step (8)) is completed. The information on r, R, R, e, z, z, z generated or obtained in the distributed signature creation step (step (8)) may also be deleted (or relevant variable areas, storage areas, etc. may be reset or cleared to zero) after the signature σ=(R, z) is transmitted to the verification apparatus.

120 120 5 FIG. 123 130 1 (4) The helper data transmission partC transmits helper data cto the biometric-based signature generation apparatus. 124 130 (5) The second helper key/message acquisition partacquires the second helper key c′ and message m from the biometric-based signature generation apparatus. 125 (6) The second distributed key generation partgenerates a second distributed key x′ using the first helper key c and the second helper key c′. The key-based signature generation apparatusmay perform, for example, following steps, following the step (3) of the key-based signature generation apparatusshown in.

The right side of Equation (69) is

When the first biometric information w is close to the second biometric information w′ (i.e., a difference (distance) between w and w′ is within a correction range), the Equation (70) becomes

126 138 130 138 (7) The distributed signature generation partexchanges information with the distributed signature generation partof the biometric-based signature generation apparatusto generate a partial signature for transmission to the distributed signature generation part. 126 2 2 (7A) The distributed signature generation partcomputes the second nonce r(integer), which is the hash value obtained by concatenating the secret information s′for second nonce generation and the message m.

126 2 2 (7B) The distributed signature generation partfinds the second rational point Ron the elliptic curve (adding the base point B rtimes).

126 138 130 126 138 130 126 2 2 2 6 FIG. (7C) The distributed signature generation parttransmits Rto the distributed signature generation partof the biometric-based signature generation apparatus. The distributed signature generation parttransmits the verification key vk to the distributed signature generation partof the biometric-based signature generation apparatus. It is noted that in, the second rational point Rand the verification key vk are transmitted together, but the distributed signature generation partmay, of course, transmit the second rational point Rand the verification key vk separately. 126 138 130 1 (7D) The distributed signature generation partacquires Rfrom the distributed signature generation partof the biometric-based signature generation apparatus. 126 1 2 (7E) The distributed signature generation partcomputes the third rational point R by adding the first rational point Ron the elliptic curve and the second rational point Ron the elliptic curve using addition on the elliptic curve.

126 (7F) The distributed signature generation partconcatenates the third rational point R and the signature verification key vk (=A) with PH(m), then inputs them into the hash function H to compute a hash value e.

126 (7G) The distributed signature generation partcomputes

126 138 130 2 (7H) The distributed signature generation parttransmits zto the distributed signature generation partof the biometric-based signature generation apparatus.

120 12 1 2 2 It is noted that in the key-based signature generation apparatus, after the distributed signature generation process (step (7)) is completed, the second helper key c′ and the second distributed key x′ may be deleted (or the corresponding variable areas, memory areas, etc. may be reset or zero cleared). It is also noted that the information, R, R, e, and zgenerated or obtained in the distributed signature generation process (step (7)) may be deleted (or the corresponding variable areas, memory areas, etc. may be reset or zero cleared).

140 (3) Receives the signature σ and the message m. (4) Verify whether a set of the signature σ and the message m is correct using verification key vk. The verification apparatusmay perform following steps.

If the above equation holds, the signature is accepted (Verify (vk, σ, m) returns, for example, 1), else (if it does not hold), the signature is rejected (Verify(vk,σ,m) returns, for example, 0).

6 FIG. 7 FIG. 4 FIG. 130 120 130 120 120 120 140 139 130 120 1 1 1 2 In, the steps (8G) to (8I) of the distributed signature generation process of the biometric-based signature generation apparatusand the step (7H) of the distributed signature generation process of the key-based signature generation apparatusare performed as shown in. In step (8H) of the distributed signature generation process of the biometric-based signature generation apparatus, zis transmitted to the distributed signature generation process of the key-based signature generation apparatus. In step (7H) of the distributed signature generation process of the key-based signature generation apparatus, zis received, and in step (7I), z=z+zis computed. In step (8), the signature σ=(R,z) and the message m may be transmitted from the key-based signature generation apparatusto the verification apparatus. In this case, instead of the signature/message transmission partof the biometric-based signature generation apparatusshown in, the key-based signature generation sincludes a signature/message transmission unit.

The following describes an example in which an encoding using a square lattice disclosed in for example Reference Literature 3 is applied as a non-limiting example of the encoding function ENC where the first biometric information w and the second biometric information w′ are n-dimensional vectors.

The first biometric information w and the second biometric information w′ are assumed to be n-dimensional real number vectors.

∞ ∞ A distance between the first biometric information w and the second biometric information w′ may be expressed, for example, by the Chebyshev distance (also termed as Ldistance or Lnorm) as follows.

∞ (n) If the distance d(w, w′) is less than or equal to a predetermined threshold

the first biometric information w and the second biometric information w′ are considered to be identical (same biometric information).

A lattice point set L may be defined as follows.

L={Y y , . . . , y y y ≤K} 1 n i i =()|is a non-negative integer, 0≤   (81)

h i where K is a given positive integer that is sufficiently larger than tand |w|.

A function int( ) that maps a single integer u to an n-dimensional integer vector Y∈L may be defined as below.

−1 The inverse function int( ) is a function that maps an integer u to an n-dimensional integer vector Y.

1 1 When the first secret information s′(a positive integer) is input to the inverse function int-( ) an n-dimensional integer vector A is obtained.

The encoding function ENC may be defined as below.

It is noted that as the encoding function ENC, the following holds.

1 110 The encoded value of s′in step (6) of the biometric-based key generation apparatusbecomes an n-dimensional vector and is given as below.

1 110 5 FIG. Therefore, the helper data cgenerated by the biometric-based key generation apparatusinis expressed as follows.

h −1 As a non-limiting example where the square lattice is used for encoding and the encoding function ENC is 2t*int( ) the decoding function DEC may be given as

130 6 FIG. Step (4) of the biometric-based signature generation apparatusshown in, computes

where an argument of the decoding function DEC is

When the first biometric information w and the second biometric information w′ are such that

h 1 1 n n each element of the n-dimensional vector (½t) (w−w′, . . . , w−W′) in Equation (91) is less than or equal to ±½ with an integer value thereof being 0, and the following holds.

110 5 FIG. In step (6) of the biometric-based key generation apparatusshown in, the encoded value of the secret information s becomes an n-dimensional integer vector and is given as below.

110 5 FIG. Therefore, in the biometric-based key generation apparatusshown in, the first helper key c generated in step (4) is given as below.

130 6 FIG. In the biometric-based signature generation apparatus, in step (6) of, the encoded value of the first distributed key Δ is given as below.

130 6 FIG. Therefore, in the biometric-based signature generation apparatusof, the second helper key c′ in step (6) is expressed as follows.

120 6 FIG. In the key-based signature generation apparatusshown in, the input argument c−c′ of the decoding function DEC (c−c′) in step (6) is expressed as follows.

h 1 1 n n then, since each element of the n-dimensional vector (½t) (w−w′, . . . , w−W′) in Equation (98) is less than or equal to ±½,

120 130 The message m may be provided externally to each of the key-based signature generation apparatusand the biometric-based signature generation apparatus.

130 120 130 120 138 130 130 120 120 1 1 1 1 1 1 6 FIG. 6 FIG. For the purpose of enhancing security, a zero-knowledge proof (non-interactive zero-knowledge: NIZK) may be performed from the biometric-based signature generation apparatusto the key-based signature generation apparatusto prove knowledge regarding the first nonce r. In this case, the biometric-based signature generation apparatusand the key-based signature generation apparatusshare a proof generation key and a proof verification key. For example, in, the distributed signature generation partof a prover, which is the biometric-based signature generation apparatus, may perform computation of the first rational point Rof the elliptic curve using the first nonce r(step (8B) of the biometric-based signature generation apparatusin), and then may generate a proof (NIZK proof) π1 from a specific example of a proposition to be proven (instance: knowing the first nonce r) and an evidence (witness) that the proposition is correct, and may transmit the instance (R) and the proof π1 to the key-based signature generation apparatus, which is a verifier. The verifier, key-based signature generation apparatus, may verify the proof π1 using the proof verification key after receiving the instance (R) and the proof π1.

2 2 2 2 2 2 2 120 130 126 120 120 12 130 130 130 120 6 FIG. 6 FIG. A non-interactive zero-knowledge proof of knowing the second nonce rmay be performed from the key-based signature generation apparatusto the biometric-based signature generation apparatus. For example, in, the distributed signature generation partof the key-based signature generation apparatus, which is a prover, may perform computation of the second rational point Rof the elliptic curve using, for example, the second nonce r(step (7C) of the key-based signature generation apparatusin), and then may generate a prooffrom the specific example of a proposition to be proven (instance: knowing the second nonce r) and an evidence that the proposition is correct, and then transmit the instance (R) and the proof π2 to the verifier, the biometric-based signature generation apparatus. The verifier, the biometric-based signature generation apparatus, may receive the instance (R) and the proof π2 and then verifies the proof π2 using the proof verification key. The biometric-based signature generation apparatusmay decommit the commitment to the instance (R) and the proof π2, and the key-based signature generation apparatusmay verify the proof π2 after the commitment has been decommitted (Reference Literature 4).

8 FIG. 4 FIG. 110 150 140 is a diagram illustrating another example of the system of the present disclosure. The biometric-based key generation apparatus, the secret information generation apparatus, and the verification apparatusare the same as those shown in.

130 131 132 133 134 134 137 135 138 The biometric-based signature generation apparatusincludes a second biometric information acquisition part, a helper data acquisition part, a secret information restoration part, a message acquisition partA, a message transmission partB, a second helper key acquisition partA, a first distributed key generation part, and a distributed signature generation part.

120 121 121 122 122 123 123 123 128 125 129 129 126 127 120 120 The key-based signature generation apparatusincludes a first helper key acquisition partA, a first helper key storage partB, a secret information acquisition partA, a secret information storage partB, a helper data acquisition partA, a helper data storage partB, a helper data transmission partC, a message acquisition partA, a second distributed key generation part, a second helper key generation partA, a second helper key transmission partB, a distributed signature generation part, a signature/message transmission part, a verification key acquisition partA, and a verification key storage partB.

9 FIG. 8 FIG. 5 FIG. 5 FIG. 100 110 150 120 120 110 120 is a diagram illustrating a process of each apparatus of the systemof. It is noted that the biometric-based key generation apparatusand the secret information generation apparatusare the same as in, so the descriptions thereof are omitted. The verification key acquisition partA of the key-based signature generation apparatusacquires the verification key vk generated by the biometric-based key generation apparatusand stores it in the verification key storage partB (processing steps 1 and 2 in).

130 131 (1) The second biometric information acquisition partacquires the user's second biometric information w′. The second biometric information w′ and the first biometric information w are of the same modality. 134 (2) The message acquisition partA acquires a message m (electronic document) to be signed. 134 120 (3) The message transmission partB transmits the message m to key-based signature generation apparatus. 132 120 137 120 1 (4) The helper data acquisition partacquires the helper data ctransmitted from the key-based signature generation apparatus. The second helper key acquisition partA acquires the second helper key c′ transmitted from the key-based signature generation apparatus. 133 1 1 (5) The secret information restoration partrestores the secret information s′for first nonce generation using the helper data cand the second biometric information w′. In signing phase, the biometric-based signature generation apparatusmay perform following steps.

As described above, when the second biometric information w′ is close to the first biometric information w (such as both from the same person), a result of the decoding operation

1 135 (6) The first distributed key generation partgenerates the first distributed key x′ by using is s′.

The right side of Equation (104), DEC(c′−w′), is

When the first biometric information w is close to the second biometric information w′ (such as both from the same person),

138 126 120 (7) The distributed signature generation partexchanges information with the distributed signature generation partof the key-based signature generation apparatusto generate a signature. 138 1 1 (7A) The distributed signature generation partconcatenates the secret information s′for first nonce generation and the message m (plaintext to be signed), inputs them into the hash function H, and computes the first nonce (integer), which is a hash value of s′and m.

138 1 1 (7B) The distributed signature generation partuses rto find the first rational point Ron the elliptic curve.

138 126 120 138 126 120 1 1 1 (7C) The distributed signature generation parttransmits Rto the distributed signature generation partof the key-based signature generation apparatus. It is noted that the transmission of Rby the distributed signature generation partmay be performed at any timing in response to a request for Rfrom the distributed signature generation partof the key-based signature generation apparatus. 138 120 138 120 2 2 (7D) The distributed signature generation partreceives the second rational point Ron the elliptic curve transmitted from the key-based signature generation apparatus. The distributed signature generation partacquires the verification key vk from the key-based signature generation apparatus. The acquisition of the verification key vk may be performed before executing step (7F) and may be separate from that of the second rational point R. 138 1 2 (7E) The distributed signature generation partadds the rational points Rand Ron the elliptic curve to obtain a rational point R on the elliptic curve.

138 (7F) The distributed signature generation partconcatenates the rational point R and the verification key vk (=A) with PH(m), then inputs them into the hash function H to compute a hash value e.

138 1 (7G) The distributed signature generation partcomputes the first distributed signature (first partial signature) z.

138 126 120 1 (7H) The distributed signature generation parttransmits zto the distributed signature generation partof the key-based signature generation apparatus.

130 1 1 1 1 2 1 In the biometric-based signature generation apparatus, after the distributed signature generation process (step (7)) is completed, the helper data c, the second helper key c′, the first secret information s′, and the first distributed key x′ may be deleted (or the corresponding variable areas, memory areas, etc. may be reset or zero cleared). In addition, the information r, R, R, e, and zgenerated or acquired in the distributed signature generation process (step (7)) may be deleted (or the corresponding variable areas, memory areas, etc. may be reset or zero cleared) after the distributed signature generation process (step (7)) is completed.

120 5 FIG. 130 (4) Acquire the message m from the biometric-based signature generation apparatus. (5) Generate (Choose) the second distributed key Δ uniformly at random from the information source. (6) Obtain the second helper key c′ by combining an encoded value ENC(Δ) of the first helper key c and the second distributed key Δ. The key-based signature generation apparatusmay perform following steps after the step (3) inin signature generation.

1 138 130 (7) Transmit the second helper key c′ and helper data cto the distributed signature generation partof the biometric-based signature generation apparatus. 126 138 130 (8) The distributed signature generation partexchanges information with the distributed signature generation partof the biometric-based signature generation apparatusto generate a distributed signature. 126 2 2 2 (8A) The distributed signature generation partinputs the secret information s′for second nonce generation and the message m into the hash function H, and computes the second nonce r(an integer), which is a hash value of s′and m.

126 2 (8B) The distributed signature generation partcomputes a second rational point Ron the elliptic curve (by adding the base point B 12 times).

126 138 130 1 (8C) The distributed signature generation partobtains the first rational point Ron the elliptic curve from the distributed signature generation partof the biometric-based signature generation apparatus. 126 138 130 126 138 130 126 2 2 2 9 FIG. (8D) The distributed signature generation parttransmits the second rational point Rto the distributed signature generation partof the biometric-based signature generation apparatus. The distributed signature generation parttransmits the verification key vk (=A) to the distributed signature generation partof the biometric-based signature generation apparatus. It is noted that in, the second rational point Rand the verification key vk are transmitted together, but the distributed signature generation partmay transmit the second rational point Rand the verification key vk separately. 126 1 2 (8E) The distributed signature generation partcomputes a third rational point R by adding the first rational point Rand the second rational point Ron the elliptic curve using an addition operation on the elliptic curve.

126 (8F) The distributed signature generation partconcatenates the third rational point R, the verification key vk (=A), and PH(m), then inputs them into the hash function H to obtain e.

126 2 (8G) The distributed signature generation partcomputes the second distributed signature (second partial signature) z.

is computed. 126 138 130 1 (8H) The distributed signature generation partreceives zfrom the distributed signature generation partof the biometric-based signature generation apparatus. 126 1 2 (8I) The distributed signature generation partadds zto zto obtain z (z of the signature σ=(R, z)).

126 127 127 140 (9) The signature and message transmission parttransmits the signature σ=(R, z) and the message m to the verification apparatus. The distributed signature generation partoutputs the signature σ=(R, z) to the signature and message transmission part.

120 12 140 1 2 1 2 In the key-based signature generation apparatus, after the distributed signature generation process (step (8)) is completed, the second distributed key Δ and the second helper key c′ may be deleted (or the corresponding variable area, memory area, etc. may be reset or zero cleared). Furthermore, the information, R, R, e, z, z, and z generated or obtained in the distributed signature generation process (step (8)) may be deleted (or the corresponding variable areas, memory areas, etc. may be reset or zero cleared) after the signature σ=(R,z) and message m are sent to the verification apparatus.

10 FIG. 9 FIG. 10 FIG. 8 FIG. 4 FIG. 10 FIG. 9 FIG. 130 130 140 127 120 139 130 130 130 120 138 130 2 2 1 is a variation example of, in which the generation of the signature σ=(R, z) is performed on the biometric-based signature generation apparatus, and the signature σ and the message m are transmitted from the biometric-based signature generation apparatusto the verification apparatus. In the example of, the signature/message transmission partof the key-based signature generation apparatusinis not required, and instead, a signature/message transmission part() is provided in the biometric-based signature generation apparatus. In, the distributed signature generation process: steps (7A) to (7G) of the biometric-based signature generation apparatusare the same as the distributed signature generation process: steps (7A) to (7G) of the biometric-based signature generation apparatusin. In step (7H) of the distributed signature generation process, zis received from the key-based signature generation apparatus, and in step (7I), the distributed signature generation partof the biometric-based signature generation apparatusadds zto zto obtain z.

139 130 140 4 FIG. (10) The signature/message transmission unit (in) of the biometric-based signature generation apparatustransmits the signature σ=(R, z) and the message m to the verification apparatus.

130 120 The biometric-based signature generation apparatusand the key-based signature generation apparatusmay each obtain the message m individually.

130 120 120 The biometric-based signature generation apparatustransmits the hash value PH(m)=H′(m) of the message m (used in the calculation of e=H(R, A, PH(m)) in step (7F)) to the key-based signature generation apparatus, and the key-based signature generation apparatusmay use it in computation of the hash value (e=H(R, A, PH(m))) in step (8F).

110 120 120 1 The biometric-based key generation apparatusmay temporarily transmit the first helper key c and helper data cto an apparatus other than the key-based signature generation apparatus, store them in the other apparatus, and have the key-based signature generation apparatusrequest them from the other apparatus each time a signature is generated.

150 120 120 The secret information generation apparatusmay transmit the secret information to an apparatus other than the key-based signature generation apparatus, store it in the other apparatus, and obtain it each time a signature is generated by the key-based signature generation apparatusmaking a retrieval request to the other apparatus.

140 130 The verification apparatusmay transmit the verification result to the biometric-based signature generation apparatuswhich is a transmission source of the signature.

11 FIG.A 11 FIG.B 11 FIG.A 100 110 120 130 140 150 100 201 202 203 204 202 201 202 203 120 140 110 130 203 204 204 110 130 110 130 150 100 120 andare schematic diagrams each illustrating an example of implementing the above-described digital signature systemusing computers equipped with communication functions and capable of communicating with each other via a network. Referring to, each apparatus (,,,,) of the systemincludes a processor(multiple processors are also possible), a storage apparatus, an input/output apparatus, and a communication interface. The storage apparatusmay be configured with semiconductor storage such as RAM (Random Access Memory), ROM (Read Only Memory), or EEPROM (Electrically Erasable and Programmable ROM), as well as HDD (Hard Disk Drive), CD (Compact Disc), or DVD (Digital Versatile Disc). The processorexecutes a program (not shown) stored in the storage apparatusto implement the processing and functions of each apparatus. The input/output apparatusmay also be configured with a keyboard and display. For example, in the key-based signature generation apparatus, the verification result (accepted or rejected) from the verification apparatusmay be displayed on an output apparatus such as a display. In addition, in the biometric-based key generation apparatusand the biometric-based signature generation apparatusthat acquire biometric information, the input/output apparatusmay also be configured to include a sensor for acquiring biometric information. In this case, the sensor may be an image sensor (camera) when the biometric information is a face, iris, etc., a fingerprint sensor when the biometric information is a fingerprint, or, for example, an LED (Light Emitting Diode) that emits near-infrared light and a near-infrared camera that captures the light transmitted through the finger when the biometric information is a finger/palm vein. It is noted that the sensor may also be a removable sensor, such as a USB (Universal Serial Bus) apparatus. The communication interfacemay be configured to communicate with each other via a LAN (Local Area Network), WAN (Wide Area Network) such as the Internet, wireless LAN, mobile communication network, etc., using a network interface card, transceiver, etc. The communication interfacemay be configured to communicate with external sensors (e.g., Bluetooth-connected sensors) in the biometric-based key generation apparatusand the biometric-based signature generation apparatus, and to receive biometric information acquired by the external sensors. The apparatuses,, andof the systemmay be client apparatuses (terminals), and apparatusmay be a server apparatus such as a cloud server.

11 FIG.B 110 120 130 140 150 100 300 303 302 301 110 120 130 140 150 100 303 303 110 120 130 140 150 110 120 130 140 150 110 120 130 140 150 301 is a schematic diagram illustrating an example in which one or more of the apparatuses (,,,,) of the digital signature systemdescribed above are implemented as virtual machines of a virtualization systemusing server virtualization technology. Multiple virtual machines (Virtual Machine: VM)operate on a virtualization infrastructure, such as a hypervisor, implemented on a physical machine, such as a server apparatus. One or more of the apparatuses (,,,,) of the digital signature systemmay be implemented as virtual machines (VM). With a single physical server, a virtualized server environment where multiple servers are running is provided. Each virtual machine (VM)is preferably configured to operate in an isolated environment within memory space. In this case, within the virtual machine VM, a program that implements the processing of any of the apparatuses (,,,,) runs on the virtual machine's virtual operating system (OS). The virtual machine VM, which virtually implements any of the apparatuses (,,,,) may be configured to communicate with other virtual machines via a virtual network, or may be configured to communicate with other apparatuses (,,,,) via a LAN, Internet, or other WAN through the physical interface (communication interface) of the physical machine.

[Reference 1] CRYPTREC EX-3002-2020, Eiichiro Fujisaki, “Investigation and Evaluation of the Security of the EdDSA Digital Signature Scheme,” December 2020, [Accessed Jun. 10, 2024] Internet <URL: https://www.cryptrec.go.jp/exreport/cryptrec-ex-3002-2020.pdf> [Reference 2] Q. Feng, D. He, M. Luo, Z. Li, and K.-K. R. Choo, “Practical Secure Two-Party EdDSA Signature Generation with Key Protection and Applications in Cryptocurrency,” 2020 IEEE 19th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), 2020, pp. 137-147, 2020 [Reference 3] JP Patent No. 5707311 [Reference 4] Lindell, Yehuda. “Fast secure two-party ECDSA signing.” Advances in Cryptology-CRYPTO 2017: 37th Annual International Cryptology Conference, Santa Barbara, CA, USA, Aug. 20-24, 2017, Proceedings, Part II 37. Springer International Publishing, 2017 The first biometric information w and the second biometric information w′ may be binary vectors, real number vectors, or integer vectors.

(Note 1) A digital signature system comprises a first signature generation apparatus and a second signature generation apparatus, each of which includes at least a processor and a communication interface.The first signature generation apparatus is configured to: a first helper key generated using first secret information corresponding to a verification key and first biometric information; helper data generated using second secret information for distributed signature generation and the first biometric information; and third secret information for distributed signature generation; acquire and store in a storage: generate a second distributed key; and generate a second distributed signature for a message to be signed, by using the second distributed key and the third secret information and sending/receiving information with the second signature generation apparatus.The second signature generation apparatus is configured to: acquire second biometric information; acquire the helper data; restore the second secret information using the second biometric information and the helper data; generate a first distributed key; and by using the first distributed key and the second secret information, and sending/receiving information with the first signature generation apparatus, generate the first distributed signature for the message.One of the first signature generation apparatus and the second signature generation apparatus is configured to generate a signature for the message using: one (a first one) of the first distributed signature or the second distributed signature generated by the one of the first signature generation apparatus or the second signature generation apparatus; and other (a second one) of the first distributed signature or the second distributed signature generated by other of the first signature generation apparatus or the second signature generation apparatus. generate a second helper key using the first distributed key and the second biometric information; and transmit the second helper key to the first signature generation apparatus. (Note 2) In the digital signature system according to Note 1, the second signature generation apparatus is configured to: The above-described embodiments/examples may be supplemented as following notes, though not limited thereto.

receive the second helper key; and generate the second distributed key using the first helper key and the second helper key. generate a second helper key using the helper data and the second distributed key; and transmit the second helper key to the second signature generation apparatus. (Note 3) In the digital signature system according to Note 1, the first signature generation apparatus is configured to: The first signature generation apparatus is configured to:

receive the second helper key; and generate the first distributed key using the second helper key and the second biometric information. (Note 4) In any of the digital signature systems according to Notes 1 to 3, including a key generation apparatus and a secret information generation apparatus, each including at least a processor and a communication interface.The key generation apparatus is configured to: acquire the first biometric information; generate the first secret information corresponding to a secret key; generate the verification key from the first secret information and a base point of an elliptic curve; generate the first helper key using the first secret information and the first biometric information; generate the second secret information; generates the helper data using the second secret information and the first biometric information; and transmit the first helper key and the helper data to the first signature generation apparatus. The second signature generation apparatus is configured to:

generate the third secret information; transmit the third secret information to the first signature generation apparatus. The secret information generation apparatus is configured to:

receive the first helper key and helper data transmitted from the key generation apparatus and store the first helper key and helper data in a first storage part and a second storage part, respectively; and receive the third secret information transmitted from the secret information generation apparatus and store the third secret information in a third storage part. compute a first hash value related to the second secret information and the message; compute a first point of an elliptic curve from the first hash value and a base point of the elliptic curve; transmit the first point of the elliptic curve to the first signature generation apparatus; compute a second hash value of a third point obtained by adding on the elliptic curve the first point of the elliptic curve and a second point of the elliptic curve received from the first signature generation apparatus, the verification key, and the message; compute a first value as the first distributed signature, which is a sum of the first hash value and a value obtained by multiplying the second hash value by the first distributed key. (Note 5) In any of the digital signature systems according to Notes 1 to 3, the second signature generation apparatus is configured to: The first signature generation apparatus is configured to:

compute a third hash value regarding the third secret information and the message; compute a second point on the elliptic curve from the base point of the elliptic curve using the third hash value; transmit the second point on the elliptic curve to the second signature generation apparatus; compute a fourth hash value of a third point obtained by adding the first point on the elliptic curve received from the second signature generation apparatus and the second point on the elliptic curve on the elliptic curve, the verification key, and the message; and compute a second value, which is a sum of the third hash value and the value obtained by multiplying the fourth hash value by the second distribution key, as the second distributed signature. The first signature generation apparatus is configured to:

compute a third value by adding the second value to the first value; and set a set of the third point on the elliptic curve and the third value as the signature for the message. (Note 6) In the digital signature system of Note 5, each of the operations for obtaining the first value, the second value, and the third value is performed using a modular arithmetic with an order of a base point of the elliptic curve as a modulus. (Note 7) In any of the digital signature systems according to Notes 1 to 6, there is provided a verification apparatus to verify the signature for the message using the verification key, and the first signature generation apparatus or the second signature generation apparatus transmits the signature and the message to the verification apparatus. (Note 8) A digital signature method includes: acquiring and storing: a first helper key generated using first secret information corresponding to a verification key and first biometric information; helper data generated using second secret information for distributed signature generation and the first biometric information; and third secret information for distributed signature generation; generating a second distributed key; and generating a second distributed signature for the message to be signed by using the second distributed key and the third secret information, and sending/receiving information with a second apparatus.The method includes: by a first apparatus: acquiring the second biometric information; acquiring the helper data; restoring the second secret information using the second biometric information and the helper data; generating a first distributed key; and generating a first distributed signature for the message, by using the first distributed key and the second secret information and sending/receiving information with the first apparatus.The method includes, by one of the first apparatus or the second apparatus, generating a signature for the message using: by the second apparatus: one (a first one) of the first distributed signature or the second distributed signature generated by the one of the first apparatus or the second apparatus; and other (a second one) of the first distributed signature or the second distributed signature generated by other of the first apparatus or the second apparatus. (Note 9) The digital signature method of Note 8, includes: generating a second helper key using the first distributed key and the second biometric information; and transmitting the second helper key to the first apparatus.The method includes: by the second apparatus: receiving the second helper key; and generating the second distributed key using the first helper key and the second helper key. by the first apparatus: (Note 10) The digital signature method of Note 8, includes: generating a second helper key using the helper data and the second distributed key; and transmitting the second helper key to the second apparatus, and by the second apparatus, receiving the second helper key; and generating the first distributed key using the second helper key and the second biometric information. by the first apparatus: (Note 11) In any of the digital signature methods according to Notes 8 to 10, includes: acquiring the first biometric information; generating the first secret information corresponding to a secret key; generating the verification key from the first secret information and the base point of the elliptic curve; generating the first helper key using the first secret information and the first biometric information; generating the second secret information; generating the helper data using the second secret information and the first biometric information; and transmitting the first helper key and the helper data to the first apparatus.The method includes: by a third apparatus: generating the third secret information; and transmitting the third secret information to the first apparatus.The method includes: by a fourth apparatus: receiving and storing in the first storage part and second storage part, the first helper key and helper data transmitted from the third apparatus, respectively; receiving and storing in a third storage part the third secret information transmitted from the fourth apparatus. by the first apparatus: (Note 12) The digital signature methods according to Notes 8 to 11, includes: computing a first hash value related to the second secret information and the message; computing a first point of the elliptic curve from the first hash value and a base point of the elliptic curve; transmitting the first point of the elliptic curve to the first apparatus; computing a second hash value of a third point obtained by adding on the elliptic curve the first point of the elliptic curve and a second point of the elliptic curve received from the first apparatus, the verification key, and the message; computing a first value as the first distributed signature, which is a sum of the first hash value and a value obtained by multiplying the second hash value by the first distributed key.The method includes: by the second apparatus: computing a third hash value regarding the third secret information and the message; computing a second point on the elliptic curve from the base point of the elliptic curve using the third hash value; transmitting the second point on the elliptic curve to the second apparatus; computing a fourth hash value of a third point obtained by adding the first point on the elliptic curve received from the second signature generation apparatus and the second point on the elliptic curve on the elliptic curve, the verification key, and the message; computing the second value, which is a sum of the third hash value and the value obtained by multiplying the fourth hash value by the second distribution key, as the second distributed signature.The method includes: by the first apparatus: computing a third value by adding the second value to the first value; and setting a set of the third point on the elliptic curve and the third value as the signature for the message. by the first apparatus or the second apparatus: (Note 13) In the digital signature method of Note 12, each operation for acquiring the first value, the second value, and the third value is performed using modular arithmetic with an order of a base point of an elliptic curve as a modulus. transmitting the signature and the message to a verification apparatus that verifies the signature using the verification key. (Note 14) The digital signature methods of any one of Notes 8 to 13, includes, by the first apparatus or the second apparatus, a first helper key generated using first secret information corresponding to a verification key and first biometric information; helper data generated using second secret information for distributed signature generation and the first biometric information; and third secret information for distributed signature generation; acquiring and storing in a storage: generating a second distributed key; and generating a second distributed signature for the message to be signed by using the second distributed key and the third secret information, and sending/receiving information with a second processing apparatus.The non-transitory storage medium stores a program causing a second processing apparatus to execute processing including: (Note 15) A non-transitory storage medium storing a program causing a first processing apparatus to execute processing including: acquiring second biometric information; acquiring helper data generated using second secret information and first biometric information; restoring the second secret information using the second biometric information and the helper data; generating the first distributed key; and generating the first distributed signature for the message by using the first distributed key and the second secret information and sending/receiving information with the first processing apparatus.The non-transitory storage medium stores the program causing one of the first processing apparatus or the second processing apparatus to execute processing including generating a signature for the message using: one (first one) of the first distributed signature or the second distributed signature generated by the one of the first processing apparatus or the second processing apparatus; and other (second one) of the first distributed signature or the second distributed signature generated by other of the first processing apparatus and the second processing apparatus. generating a second helper key using the first distributed key and the second biometric information; and transmitting the second helper key to the first processing apparatus.The non-transitory storage medium of Note 15 stores the program causing the first processing apparatus to perform processing including: (Note 16) The storage medium of Note 15 stores the program that causes the second processing apparatus to perform processing including receiving the second helper key; and generating the second distributed key using the first helper key and the second helper key. generating the second helper key using the helper data and the second distributed key; and transmitting the second helper key to the second processing apparatus, wherein the non-transitory storage medium stores the program causing the second processing apparatus to execute processing including receiving the second helper key; and generating the first distributed key using the second helper key and the second biometric information. (Note 17) The non-transitory storage medium of Note 15, stores the program causing the first processing apparatus to execute processing including: The first signature generation apparatus or the second signature generation apparatus is configured to:

The disclosures of the above non-patent literature and references are incorporated herein by reference. Within the scope of the disclosure of the present application (including the claims), various modifications, adjustments, and combinations are possible based on the basic technical concept. Furthermore, within the scope of the claims of the present invention, various combinations or selections of disclosure elements (including each element of each Note, each element of each embodiment, each element of each figure, etc.) are possible. That is, the present disclosure naturally includes all disclosures, including the claims, as well as various modifications and revisions that would be obvious to those skilled in the art based on the technical concept.